Colorado added to the United States' patchwork of state data privacy regulation this week. On July 7, Colorado Governor Jared Polis signed into law the Colorado Privacy Act ("CPA"), a sweeping law that creates substantial new obligations for organizations that process the personal data of Colorado residents. The CPA is scheduled to become effective on July 1, 2023. Between now and the effective date, organizations with business operations or customers in Colorado should carefully assess whether they fall within the CPA's scope (whether or not they are located in Colorado), and work toward compliance if the law applies to them.
In enacting the CPA, Colorado joins California and Virginia as the third state with a broad privacy law intended to grant consumers additional control over the collection and use of their personal data. The California Consumer Privacy Act ("CCPA") was passed in 2018, became effective on January 1, 2020 and was substantially amended by the California Privacy Rights Act ("CPRA") in November 2020. The CPRA amendments take effect on January 1, 2023. The Virginia Consumer Data Protection Act ("CDPA") was enacted in March 2021 and is also scheduled to take effect on January 1, 2023. As discussed below, the CPA's provisions resemble the CCPA/CPRA and the CDPA in a number of key ways, but differ from each in ways that matter for scoping a compliance program.
To whom will the Colorado Privacy Act apply?
The CPA will apply to organizations that conduct business in Colorado, or produce or deliver commercial products or services that are intentionally targeted to Colorado residents ("consumers"), and that either: 1) control or process the personal data of 100,000 or more consumers during a calendar year; or 2) derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of 25,000 or more consumers. Note that the second prong has no minimum revenue figure or percentage attached to it: any revenue or price discount derived from the sale of personal data is enough, provided the 25,000-consumer volume is met. Organizations that meet these thresholds are defined as "controllers." The CPA also applies to "processors," which are entities that process personal data on behalf of a controller. The CPA and Virginia's CDPA borrow this controller/processor nomenclature from the European Union's General Data Protection Regulation ("GDPR").
What information does the Colorado Privacy Act protect?
The CPA protects "personal data," defined as information that is "linked or reasonably linkable" to an identified or identifiable individual, and excludes data that is either de-identified or publicly available. The CPA's definition of "consumer" covers Colorado residents acting only in an individual or household context, and it specifies that it will not apply to personal data processed in the context of employment or employment applications, so most human resources data will be exempt from its reach. The CPA also does not reach consumer information separately covered by certain other privacy laws, like the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") or the Gramm-Leach-Bliley Act ("GLBA"). It also exempts certain entities, including airlines and public utilities. Notably, and unlike the CCPA and the CDPA, Colorado's CPA applies to both for-profit and non-profit organizations.
What are the rights granted to Coloradans?
The CPA grants Colorado residents a number of new rights with regard to their personal data when it is being processed by a controller. These rights include the right to confirm whether the controller is in fact processing their personal data, and to access, correct, delete, or obtain a portable copy of their personal data from controllers. Another key right is that Colorado residents will have the right to opt out of the sale of their personal data, as well as the use of their personal data for targeted advertising and for profiling in furtherance of decisions that produce legal or similarly significant effects concerning them.
What are the obligations placed on controllers and processors by the Colorado Privacy Act?
The CPA also creates new obligations for controllers. It requires them to provide consumers with a "reasonably accessible, clear, and meaningful privacy notice," which must set forth, among other things, the categories of personal data being collected or processed, the purposes of the processing, any sharing of personal data with third parties, and a description of the rights afforded to consumers and how to exercise them. Controllers must also have mechanisms in place for honoring requests from consumers to exercise their CPA rights, and are prohibited from discriminating against individuals who do so. The CPA further requires that controllers enter into written contracts with processors that limit the processing the processor may carry out on data subject to the CPA and bind the processor to safeguard that data. Finally, it requires controllers to conduct data protection assessments for processing that presents a heightened risk of harm to consumers (such as targeted advertising, sale, certain profiling, and the processing of sensitive data), and to obtain consent before processing "sensitive data," which it defines as personal data revealing: racial or ethnic origin; religious beliefs; a mental or physical health condition or diagnosis; sex life or sexual orientation; citizenship or citizenship status; genetic or biometric data processed for the purpose of uniquely identifying an individual; or personal data from a known child (an individual under thirteen years of age).
Processors that process personal data on behalf of controllers are obligated to assist the controllers in responding to requests from consumers to exercise their CPA rights, in meeting the controller's security and breach notification obligations, and in conducting data protection assessments.
How will the Colorado Privacy Act be enforced?
The Colorado Attorney General is the primary enforcement authority for the CPA and is tasked with developing the implementing regulations. In addition to the Colorado Attorney General's Office, the CPA provides for enforcement by the state's district attorneys. The CPA also provides that these regulators must give any alleged violator 60 days' notice and an opportunity to "cure" the violation before initiating an enforcement action; this cure provision is scheduled to be repealed on January 1, 2025, after which enforcement may proceed without it. The CPA does not set its own fine amount per violation, but a violation is classified as a deceptive trade practice under the Colorado Consumer Protection Act, which provides for civil penalties of up to $20,000 per violation. The law contains no private right of action, so consumers will not be able to initiate suits based on alleged CPA violations.
What are some of the key differences among the Colorado, California, and Virginia privacy laws?
There are some notable contrasts between the CPA and the frameworks that California and Virginia have established. First, scope is tied to revenue differently in each state. The CCPA's applicability thresholds include an annual gross revenue figure ($25 million) as one alternative prong, and the CDPA's sale-based prong applies only where more than 50 percent of gross revenue comes from the sale of personal data. The CPA contains neither a gross revenue threshold nor a percentage-of-revenue requirement, meaning it will likely apply to some smaller companies, and to some companies with only incidental data-sale revenue, that fall outside the scope of the CCPA and CDPA. As noted above, the CPA also does not exempt non-profit entities from its scope, as the CCPA and CDPA do. And while the CDPA exempts entire entities that are subject to HIPAA or GLBA, the CPA only exempts personal data that is covered by those frameworks, meaning that some organizations might have to comply with HIPAA or GLBA for some data they process, and comply with the CPA for other data.
The definition of a "sale" also varies among these frameworks. While the CDPA defines a sale as the exchange of personal data for monetary consideration only, the CPA's definition of "sale" echoes the CCPA, covering the exchange of personal data for "other valuable consideration" in addition to "monetary consideration." Organizations subject to either the CCPA or the CPA may face challenges in determining what constitutes "other valuable consideration" (for example, data exchanged under a cooperative marketing or data-sharing arrangement with no cash changing hands) until further guidance emerges from the regulators or courts.
Data protection assessments are also a point of inconsistency. The CCPA as originally enacted does not require them, and the CPRA leaves the details to future regulations that will require regular risk assessments and cybersecurity audits for processing that presents significant risk. By contrast, the CPA and the CDPA both require them in the statute itself where the processing of personal data creates a heightened risk to consumers. The CDPA and CPA both require organizations to provide their data protection assessments to regulators on demand, so organizations need to think ahead and carry out such assessments before the processing begins, and keep them current, to be able to respond to requests from regulators.
In terms of enforcement, the CPA's 60-day cure period is longer than the periods established in the CCPA and CDPA, both of which specify a 30-day period (and the CPRA amendments eliminate the CCPA's mandatory cure period as of January 1, 2023). However, the $20,000 per-violation penalty available under the CPA exceeds the $7,500 per-violation limits set forth in the CCPA and CDPA. Additionally, the fact that the CPA can be enforced by district attorneys as well as the Attorney General is unique among the three laws, and may spur a greater volume of enforcement actions.
What are the first steps to Colorado Privacy Act compliance?
Organizations that collect or use the personal data of Colorado residents should first conduct a scoping analysis to determine whether they fall within the CPA's thresholds, counting Colorado consumers whose data they control or process and identifying any revenue or discounts tied to the sale of personal data. If the CPA applies, they should undertake a close examination of their privacy notices, data sharing with third parties, contracts with vendors and service providers, ability to respond to consumer requests (including opt-outs of sale, targeted advertising, and profiling), and procedures for conducting and retaining data protection assessments.
Organizations collecting or using the personal data of Colorado residents must also watch for further changes to the law. In a signing statement addressed to the legislature, Governor Polis stated that "several issues remain outstanding" with the CPA and expressed concern regarding whether it "strike[s] the appropriate balance between consumer protection while not stifling innovation and Colorado's position as a top state to do business." He encouraged "clean-up" legislation that could further alter the scope of, and the obligations established by, the CPA before its effective date, and the Attorney General's implementing regulations will add detail that organizations should build into their compliance plans as it is released.